Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker

Authors: Kevin Mitnick, Steve Wozniak, William L. Simon

TWENTY-EIGHT
Trophy Hunter
 

Phtm zvvvkci sw mhx Fmtvr VOX Ycmrt Emki
vqimgv vowx hzh L cgf Ecbst ysi?

 

I’d fallen into a comfortable routine as a new citizen of Denver. During the day, I’d go into work at the law firm on a regular shift from about 9:00 to 6:00. Afterward, I’d go to the gym for a few hours, grab dinner at a local restaurant, then head home or back to the law firm and spend until bedtime doing you know what.

Hacking was my entertainment. You could almost say it was a way of escaping to an alternate reality—like playing a video game. But to play my game of choice, you had to stay alert at all times. One lapse in attention or sloppy mistake, and the Feds could show up at your door. Not the simulated G-men, not the black wizards of Dungeons and Dragons, but the real, honest-to-God, lock-you-up-and-throw-away-the-key Feds.

At the time, I was busy finding systems to explore and ways to match wits with the security experts, network and system administrators, and clever programmers I encountered in my alternate reality. I was doing it purely for the thrill.

Since I couldn’t really share my exploits with anyone, I set my sights on obtaining the source code for things that interested me, such as operating systems and cellular phones. If I could get the code, it would be my trophy. I was becoming so good at it that sometimes it seemed too easy.

Now that I had put everything on the line by cutting ties with my former life, I had nothing to lose. I was primed and ready. How could I raise the stakes? What could I do that would make every hack that came before it seem like child’s play?

The world’s leading tech companies supposedly had the best security in the world. If I really wanted trophies that meant something, I was going to have to try to hack into them and get their code.

I had already had good success with Sun. Now I targeted Novell, which, I discovered, used a server running the SunOS operating system as its firewall gateway. I exploited a bug in a program called “sendmail,” which was used, among other things, to receive email from the outside world. My goal was to get the source code for one of the leading network operating systems in the world, Novell’s NetWare.

I was able to create any file with any content I wanted by exploiting an unpatched security flaw in the sendmail program. I would connect over the network to the sendmail program and type in a few commands like these:

mail from: bin
rcpt to: /bin/.rhosts
[text omitted]
.
mail from: bin
rcpt to: /bin/.rhosts
data
+ +
.
quit

 

These commands caused the sendmail program to create a “.rhosts” file (pronounced “dot-R-hosts”), which makes it possible to log in without a password.

(For the technical reader, I was able to create a .rhosts file in the bin account configured to allow me to log in without having to provide a password. A .rhosts file is a configuration file used with certain legacy system programs known as the “R-services,” which are used for logging in or executing commands on a remote computer. For example, a .rhosts file can be configured to allow the user “kevin” from the hostname “condor” to log in without providing a password. In the example above, two plus signs separated by a space provides a wildcard for both the user and the hostname of the computer—meaning that any user can log in to the account or execute commands. Because the bin account had write access to the “/etc” directory, I was able to replace the password file with my own modified version that allowed me to gain root access.)
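The "+ +" wildcard described above is exactly the entry an administrator auditing a legacy host would want to catch. The following is an added example, not code from the book: a small Python audit that parses .rhosts / hosts.equiv entries (host, optional user, "+" wildcard, "-" denial, "+@netgroup") and flags those that grant trust more broadly than one named host and user. The sample file and the names in it are constructed for illustration.

```python
"""Audit .rhosts / hosts.equiv entries for wildcard trust (added example)."""
from dataclasses import dataclass


@dataclass
class RhostsFinding:
    line_no: int
    entry: str
    reason: str


def parse_rhosts_line(line):
    """Return (host, user) for one entry, or None for blank/comment lines.

    R-services entries are 'hostname [username]'; a missing username means
    'the same login name as the local account'.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    fields = stripped.split()
    return fields[0], (fields[1] if len(fields) > 1 else None)


def audit_rhosts(text):
    """Flag entries whose host or user field is a wildcard or a netgroup."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_rhosts_line(raw)
        if parsed is None:
            continue
        host, user = parsed
        if host == "+" and user == "+":
            reason = 'any user from any host ("+ +") logs in without a password'
        elif host == "+":
            reason = "any host trusted for user %s" % (user or "<same name>")
        elif user == "+":
            reason = "any user from host %s trusted" % host
        elif host.startswith("+@") or (user or "").startswith("+@"):
            reason = "netgroup trust; verify the netgroup's membership"
        else:
            continue  # a single named host/user pair, or a '-' denial
        findings.append(RhostsFinding(n, raw.strip(), reason))
    return findings


# Constructed sample; 'condor kevin' mirrors the host/user pair in the chapter.
SAMPLE_RHOSTS = """\
# constructed sample .rhosts
condor kevin
+ +
+ alice
workstation7 +
-badhost
"""

if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE_RHOSTS):
        print("line %d: %-16s %s" % (f.line_no, f.entry, f.reason))
```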

Next I installed a hacked version of “telnetd” that would capture and store the password of anyone who logged in to the Novell gateway machine. As I was getting myself established on Novell’s network, I saw that two other users were logged in and active. If they happened to notice that somebody else was logged in from a remote location, they would immediately know that the company was being hacked. So I took steps that made me invisible: if any system administrator called up a list of everyone who was on the system at that time, I wouldn’t show up.

I continued watching until one of the administrators logged in to the gateway; I was then able to capture his password for the root account. The password was “4kids=$$.” Cute.

It didn’t take me long to get into another system called “ithaca,” which was one of the Engineering Group’s systems in Sandy, Utah. Once I compromised that system, I was able to retrieve the encrypted password file for the entire Engineering Group and recover the passwords of a large number of users.

I searched the system administrators’ email for the keywords “modem,” “dial-up,” and “dial-in” in various forms—singular, plural, with and without a hyphen following “dial,” and so on—which led me to messages answering employee questions such as “What number do I use to dial in?” Very handy.

Once I found a dial-up, I started using that as my access point rather than going in through Novell’s Internet gateway.

For starters, I wanted to find the system that contained the source code for the NetWare operating system. I started searching through the email archives of the developers, looking for certain words that might lead me to the process used to commit updates to the source code repository. I eventually found the hostname of the source code repository: “ATM.” It wasn’t a cash machine, but to me it was worth much more than money. I then went searching back through emails looking for “ATM” and found the names of a few employees who supported the system.

I spent hours trying to log in to ATM using the Unix-based credentials I had intercepted, but without success. Finally I was able to find a valid account, but it didn’t have rights to access the source code repositories. Time for my standard fallback: social engineering. I called the number for a lady who worked in support on ATM. Using the name of an engineer whose password I had cracked, I told her I was working on a project and needed access to the Netware 3.12 client source code. My gut told me something just wasn’t right, but the lady didn’t sound at all hesitant.

When she came back on the line and told me she had given me the rights I’d requested, I felt a familiar surge of adrenaline. But after only fifteen minutes, my session was disconnected, and I couldn’t reconnect—I was locked out. Moments later the engineer changed his password. Uh-oh. That didn’t take long to figure out. Later I learned that the lady had had previous conversations with the engineer whose name I used, and realized my voice didn’t sound like his. She knew I was an imposter. Damn! Well, win some, lose some.

I called another administrator who also supported ATM and convinced him to add access rights to one of the other accounts I had compromised, only to be locked out again. I also placed backdoors in numerous systems to capture credentials as users logged in.

By now I had been working on this project for several days. Searching emails was a quick means of discovering where I could find the tasty data—the information that would lead to additional ways into the network, or to software bugs, or to source code that interested me.

Now that I knew they would be watching closely and weren’t likely to fall for the same trick again, I changed my tactics. What if I targeted a developer who had full access and tricked him into copying everything for me? I wouldn’t even need to find a way into ATM to get what I wanted.

After exploring Novell’s internal network for several days, I found a cool tool accessible to any Novell employee. The program, called “411,” listed the name, phone number, log-in name, and department of each staffer. My luck was starting to change. I dumped out the entire employee list to a file for analysis. As I looked through the list, it became clear that all the developers worked in a group called “ENG SFT.” I figured that NetWare development was likely handled out of Provo, Utah, the company headquarters.

Looking through the directory using these two criteria, I randomly chose a listing:

 

Nevarez, Art:801 429-3172:anevarez:ENG SFT

 

Now that I had my mark, I needed to pose as a legitimate Novell employee. I wanted to choose a contractor or someone else who was unlikely to be known by my target. The phone directory also contained a department named Univel that had probably been formed when Novell and AT&T’s Unix System Laboratories started up a joint venture in 1991. I needed to find an employee who wasn’t going to be in the office. My first choice was:

 

Nault, Gabe:801 568-8726:gabe:UNIVEL

 

I called and got his voicemail greeting, which very conveniently announced that he would be out of the office for the next few days, without access to email or voicemail. From the employee directory file, I picked out a lady who worked in the Telecommunications Department and dialed her number.

“Hi, Karen,” I said. “This is Gabe Nault calling from Midvale. Last night I changed my voicemail password, but it doesn’t work. Can you please reset it?”

“Sure, Gabe. What’s your number?”

I gave her Gabe’s number.

“Okay, your new password is the last five digits of your telephone number.”

I thanked her politely, immediately dialed Gabe’s phone, keyed in the digits for the new password, and recorded the outgoing greeting in my own voice, adding, “I have several meetings today, so it’s best to leave a voicemail. Thank you.” Now I was a legitimate Novell employee with an internal phone number.

I phoned Art Nevarez, told him I was Gabe Nault in Engineering, and asked, “Do you work with NetWare? I’m in the Univel Group.”

“Yes,” he said.

“Great. Can you do me a big favor? I’m working on the NetWare for Unix project, and I need to move a copy of the NetWare 3.12 client source code to one of our boxes here in Sandy. I’ll set up an account for you on the ‘enchilada’ server so you can map a drive and transfer the code.”

“Sure. What’s your number? I’ll call you after it’s done,” he said.

After we hung up, I was elated. No need to gain access to ATM—just leverage someone who already has it.

I went to the gym to work out, checking Gabe’s voicemail during a break to find a message from Art saying that he had finished. Awesome! Now I had trust and credibility. Why not go a little further and ask for another small favor? Right from the gym, I called Nevarez back and said, “Thanks, Art. Hey, sorry, but I just realized I also need 4.0 client utilities too.”

He sounded a little annoyed. “There are a lot of files on that server, and there’s not enough space left.”

“I’ll tell you what, I’ll take them off ‘enchilada’ to make room. I’ll call you when I’m done.”

After I finished working out, I went home, logged on, and transferred the files to an account I had created for myself at Colorado Supernet, the largest Internet service provider in Denver. The next day, Nevarez transferred the rest of the files for me, an operation that took him a long time because there was so much code.

Later when I asked him to transfer the server source code, he got suspicious and balked. As soon as his suspicions were raised, I dialed into Gabe’s voicemail and reset it to use the standard outgoing greeting so my voice would be erased. I certainly didn’t want a recording of my voice to be Exhibit A in some future court case.

Undiscouraged, I thought to myself, There’s always something that’s more challenging and fun to hack.

By this time, cell phones had shrunk a great deal from their earliest briefcase size. But they were still about as big as a man’s shoe and several times heavier. Then Motorola took a leap ahead of the rest of the industry with the first small, lightweight, well-designed mobile phone, the MicroTAC Ultra Lite. It looked like the Star Trek Communicator, the device Captain Kirk used for giving the command, “Beam me up, Scotty.” If the physical look of the phone was so different, the software that ran it surely must have a great many innovations as well.

I was still using the Novatel PTR-825 phone, the one I had conned Novatel into sending me the special chips for so that I could change the ESN from the keypad. It wasn’t anywhere near as sexy as the MicroTAC Ultra Lite. Maybe it was time for me to switch phones—if I could figure out a way to get the same capabilities I had with the Novatel. I would somehow have to get the source code for the phone from Motorola. How hard would that be? It presented a very interesting challenge.

I was so eager to dive in that I asked Elaine, my boss at the law firm, if I could take off early to attend to a personal matter, and she said okay. I left at around three. On the long elevator ride down forty-five floors, a couple of the firm’s associates were joking about a big case they were working on: the firm was representing Michael Jackson. I smiled to myself, thinking back to when I used to work at Fromin’s Delicatessen. The Jackson family had a big house right down the street, on Hayvenhurst, and stopped in every once in a while for a deli lunch or dinner. Now here I was, on an elevator a thousand miles away, running from the FBI and the U.S. Marshals, employed by a prestigious law firm that was representing one of the most famous musicians in the world.
